Archive for the ‘Shell Scripts’ tag

I recently needed to turn on SSH access for only one user. The idea is to have an unprivileged user enabled for SSH so that Apple Remote Desktop traffic can be wrapped in an SSH tunnel; for details see the Apple Remote Desktop 3.2 – Administrator’s Guide, page 83. Using the unprivileged user is only one small part of making the system reasonably secure while still allowing you to administer it remotely. You still need to set firewall rules and a few other things.

At least since 10.6.8, Apple has used two access groups in the local directory node (the local LDAP) to control access to the SSH service. When you first set up a system and haven’t touched the Remote Login settings, there are no access control groups for SSH in /Local/Default/Groups. If you turn on SSH you get com.apple.access_ssh. If you limit who can log in over SSH, those users are added to that access group by the system. To enable SSH for a single user you would think you could simply create the access group and add users with dseditgroup. That works on a fresh system, but if you have ever enabled and then disabled SSH you will also have a com.apple.access_ssh-disabled group. Changing SSH access in the GUI is easy because the system removes and adds these groups for you; you can watch it happen by listing the contents of /Local/Default/Groups with dscl as you make changes.

The following is my shell script to remove the groups, add the right group, add a user to that group and turn on SSH. Maybe this will help someone.

#!/bin/sh
# script to enable SSH for a particular user on OS X systems
# Marc Kerr http://marckerr.com 5/31/13
# Use this as you like. No guarantees
USERNAME="somebody"
# Check that root is running the script, otherwise nothing works.
# id -u is used rather than $EUID so the check is valid under /bin/sh.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# Disable SSH to start with, regardless of whether it's on.
systemsetup -setremotelogin off
# Delete all associated SSH groups to start fresh.
# Whether the groups exist or not, the end state is that they are gone
# (dseditgroup complains about a missing group, which is harmless here).
for group in com.apple.access_ssh-disabled com.apple.access_ssh
do
    dseditgroup -o delete -q "$group"
done
# Now we can create the access group and add the user(s).
dseditgroup -o create -q com.apple.access_ssh
# "-o edit -a" adds a member of type "user" to the group.
dseditgroup -o edit -q -a "$USERNAME" -t user com.apple.access_ssh
# Turn SSH back on
systemsetup -setremotelogin on
exit 0
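As an added check that is not part of the original post: once the script has run, it is worth confirming that com.apple.access_ssh contains exactly the intended user, that the stale com.apple.access_ssh-disabled group is gone, and that Remote Login is actually on. The helper below parses the text that dscl and systemsetup print (it assumes the forms "GroupMembership: user1 user2", one group name per line from "dscl . -list /Groups", and "Remote Login: On"/"Remote Login: Off"). The sample output and the account names somebody and admin are constructed, so the parsing part also runs on a machine without dscl.

```shell
#!/bin/sh
# Audit helper: after enabling SSH for one user, confirm the directory state
# matches what was intended. Added example, not part of the original post.
# Assumes dscl prints "GroupMembership: user1 user2" for a group with members,
# "dscl . -list /Groups" prints one group name per line, and
# "systemsetup -getremotelogin" prints "Remote Login: On" or "Remote Login: Off".

# $1 = dscl output for the group, $2 = space-separated list of allowed short names.
# Prints every member not on the allow list; returns 0 if there are none.
check_ssh_members() {
    members=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
    rc=0
    for m in $members; do
        ok=0
        for a in $2; do
            [ "$m" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected member of com.apple.access_ssh: $m"
            rc=1
        fi
    done
    return $rc
}

# $1 = output of "dscl . -list /Groups". Returns 0 if the leftover
# com.apple.access_ssh-disabled group (from toggling Remote Login) is present.
has_disabled_group() {
    printf '%s\n' "$1" | grep -qx 'com.apple.access_ssh-disabled'
}

# $1 = output of "systemsetup -getremotelogin". Returns 0 when SSH is on.
remote_login_on() {
    printf '%s\n' "$1" | grep -q '^Remote Login: On'
}

# Constructed sample output (not captured from a real machine) in which an
# extra "admin" account has crept into the SSH access group.
SAMPLE_MEMBERS='RecordName: com.apple.access_ssh
GroupMembership: somebody admin'
SAMPLE_GROUPS='com.apple.access_screensharing
com.apple.access_ssh
staff'
SAMPLE_REMOTE='Remote Login: On'

# Use the live directory on macOS; elsewhere exercise the parsers on the sample.
if command -v dscl >/dev/null 2>&1; then
    members_out=$(dscl . -read /Groups/com.apple.access_ssh GroupMembership 2>/dev/null || true)
    group_list=$(dscl . -list /Groups)
    remote_out=$(systemsetup -getremotelogin)
else
    members_out=$SAMPLE_MEMBERS
    group_list=$SAMPLE_GROUPS
    remote_out=$SAMPLE_REMOTE
fi
check_ssh_members "$members_out" "somebody" || echo "review who is in com.apple.access_ssh"
has_disabled_group "$group_list" && echo "stale com.apple.access_ssh-disabled group still present"
remote_login_on "$remote_out" || echo "Remote Login is off"
```

On a real machine the three live reads need the same root privileges as the script itself; an empty GroupMembership line (group exists but has no members) passes the membership check, so pair it with a look at whether the group exists at all if that matters to you.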

Here is a script I’ve pieced together to create a hidden user on OS X as a Standard user and then give that user ARD privileges. Not giving the user admin privileges really doesn’t protect against an ARD compromise or against someone who holds that user’s password, because the ARD agent on the client machine runs remote commands as root. It would, however, prevent a “Screen Sharing” user from doing anything as an admin.

#!/bin/sh
# This script will let you create a hidden standard user with any short name you want.
# To get a username and password prompt at the login window use Option + Down Arrow, then Command + Return.
# This script is based on several sources:
# http://support.apple.com/kb/HT5017?viewlocale=en_US
# http://apple.stackexchange.com/questions/82472/what-steps-are-needed-to-create-a-new-user-from-the-command-line-on-mountain-lio
# http://www.tonymacx86.com/mac-os-x-support/87058-guide-how-make-hidden-admin-account-mac-osx.html
# http://support.apple.com/kb/ht2370
# This standard user is given Apple Remote Desktop access.
# Must run as root: the dscl writes, kickstart and /Library/Preferences all require it.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# For interactivity use the following.
# Set the variable USERNAME
echo "Enter the Username of the account you want to create."
read -r USERNAME
echo "Enter the Pass Phrase of the account you want to create."
# Get settings for the terminal, then disable echo to hide typing of the password.
oldmodes=$(stty -g)
stty -echo
# This sets the variable PASSWORD
read -r PASSWORD
# Set the terminal back to its original settings and finish the line the hidden input left open.
stty "$oldmodes"
echo
# If you don't want interactivity, comment out the previous lines and use these instead:
# USERNAME="username"
# PASSWORD="Use a passphrase"
# This makes the account as a Standard user: primary group 20 is "staff", not "admin" (80).
# UniqueID 405 is assumed to be unused; check with "dscl . -list /Users UniqueID" first.
dscl . create "/Users/$USERNAME"
dscl . create "/Users/$USERNAME" UniqueID 405
dscl . create "/Users/$USERNAME" PrimaryGroupID 20
dscl . create "/Users/$USERNAME" NFSHomeDirectory "/private/var/$USERNAME"
dscl . create "/Users/$USERNAME" UserShell /bin/bash
# Because we are using a passphrase the variable needs to be in quotes.
dscl . passwd "/Users/$USERNAME" "$PASSWORD"
### Enable ARD
# Set ARD for a specific user with specific access privileges
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -activate -configure -access -on -users "$USERNAME" \
    -privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
# You must also set the specifiedUsers option to limit access to the individual user.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -configure -allowAccessFor -specifiedUsers -restart -agent -menu
# Users with a UID less than 500 will be hidden with this
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
# This makes the account hidden (-array-add keeps any users already on the list)
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add "$USERNAME"
# This makes the "Other..." entry in the login window disappear
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE
# Create the user's home directory
createhomedir -c -u "$USERNAME"
exit 0
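As an added audit step that is not part of the original post: after creating the account, verify that it really is a Standard user (primary group 20, "staff", rather than 80, "admin", and not listed in the admin group) and that its UID is below 500 so the Hide500Users setting applies. The helper assumes dscl's "Key: value" record format; the sample user record and the admin-group members root and localadmin are constructed, so the checks also run on a machine without dscl.

```shell
#!/bin/sh
# Audit helper for the hidden Standard account created above. Added example, not
# part of the original post. It assumes dscl's "Key: value" record format, that
# primary group 20 is "staff" and 80 is "admin", and the page's rule that
# accounts with a UID below 500 are hidden from the login window.

# $1 = output of "dscl . -read /Users/<name>" (or a constructed equivalent).
# Prints findings; returns 0 when the record looks like a hidden Standard user.
check_hidden_standard() {
    uid=$(printf '%s\n' "$1" | sed -n 's/^UniqueID: *//p')
    gid=$(printf '%s\n' "$1" | sed -n 's/^PrimaryGroupID: *//p')
    rc=0
    case $uid in
        ''|*[!0-9]*) echo "UniqueID missing or not numeric: '$uid'"; return 1 ;;
    esac
    if [ "$uid" -ge 500 ]; then
        echo "UniqueID $uid is not below 500; the account will show in the login window"
        rc=1
    fi
    if [ "$gid" != "20" ]; then
        echo "PrimaryGroupID '$gid' is not staff (20); 80 would make this an admin"
        rc=1
    fi
    return $rc
}

# $1 = output of "dscl . -read /Groups/admin GroupMembership", $2 = short name.
# Returns 0 when the user is not a member of the admin group.
not_admin_member() {
    admins=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
    for a in $admins; do
        [ "$a" = "$2" ] && return 1
    done
    return 0
}

# Constructed sample records (not read from a real machine).
SAMPLE_USER='RecordName: somebody
UniqueID: 405
PrimaryGroupID: 20
NFSHomeDirectory: /private/var/somebody'
SAMPLE_ADMINS='GroupMembership: root localadmin'

# Use the live directory on macOS; elsewhere exercise the checks on the sample.
if command -v dscl >/dev/null 2>&1; then
    user_rec=$(dscl . -read /Users/somebody 2>/dev/null || true)
    admin_rec=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)
else
    user_rec=$SAMPLE_USER
    admin_rec=$SAMPLE_ADMINS
fi
check_hidden_standard "$user_rec" || echo "account is not a hidden Standard user"
not_admin_member "$admin_rec" somebody || echo "somebody is in the admin group"
```

Replace the short name somebody with the one you entered when running the script; the primary group check only covers the record's own PrimaryGroupID, which is why the admin-group membership is checked separately.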